Cross-site request forgery (XSRF) is a class of attacks that depend on the inaccurate assumption made by most “secure” web applications that proof of identity is equivalent to proof of intent. This vulnerability is implicit in the way web browsers operate, and it is worsened by scripting languages embedded in the browser.
For example, a vulnerable site may host a web application where a client has current, active authentication credentials. If an attacker can induce the client's web browser to submit a request to the vulnerable site, the attack can occur without any active participation by the user of the client. The user of the client may not even be aware of the activity until well after the fact. In one scenario, the request that the client's web browser is tricked into submitting may be a request to a bank for transferring money from the user's account to the attacker's account.
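The identity-versus-intent gap described above, as an added example that is not part of the original text: a minimal model of a "transfer" endpoint that accepts any request carrying a valid session cookie, beside a hardened version that also demands a per-session anti-forgery token that only the site's own pages can embed. The session store, `Request` type and handler names are constructed for illustration.

```python
# Added example (not from the original text): why a session cookie the browser
# attaches automatically proves identity but not intent, and how a per-session
# anti-forgery token supplies the missing proof of intent.
# SESSIONS, Request and the handler names are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> (user, anti-forgery token).
SESSIONS = {
    "sess-abc123": {"user": "alice", "csrf": secrets.token_hex(16)},
}

@dataclass
class Request:
    cookies: dict = field(default_factory=dict)  # attached by the browser on every request
    form: dict = field(default_factory=dict)     # body built by whoever authored the form

def handle_transfer_naive(req: Request) -> str:
    """Vulnerable: checks who the session belongs to and nothing else."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"

def handle_transfer_hardened(req: Request) -> str:
    """Fixed: additionally requires the token bound to this session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):  # constant-time compare
        return "403 missing or invalid anti-forgery token"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"

def issue_form_token(session_id: str) -> str:
    """Value the site's own transfer page embeds as a hidden form field."""
    return SESSIONS[session_id]["csrf"]

# A request carrying only the cookie models a submission the browser made
# without the user's intent; the same cookie plus the site-issued token
# models a submission from the site's own form.
COOKIE_ONLY = Request(cookies={"session": "sess-abc123"},
                      form={"to": "other-account", "amount": "100"})
WITH_TOKEN = Request(cookies={"session": "sess-abc123"},
                     form={"to": "bob", "amount": "100",
                           "csrf": issue_form_token("sess-abc123")})
```

Run against `COOKIE_ONLY`, the naive handler moves the money while the hardened one returns 403; only `WITH_TOKEN`, which a page from another origin cannot construct, is accepted by both.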
When executed properly, an attack can be virtually undetectable. Given the appropriate circumstances, victims may not see any evidence of illegitimate activities in their browser window. In the logs of the vulnerable web application, the forged request typically looks like a completely intentional transaction. Victims normally cannot even prove that they are victims. Because it destroys the trust required for commerce to function, this problem could completely undermine web commerce.